Command Line Interface

LibreCrypt: Open-Source disk encryption for Windows

The latest version of this document can be found at the LibreCrypt project site

Command Line Interface

LibreCrypt supports passing parameters via a command line interface.

Synopsis

LibreCrypt.exe /mount /volume <volume> [/freeotfe | /linux] [/readonly] [/drive <drive letter>]
           [/offset <offset>] [/nocdbatoffset]
           [/keyfile <keyfile>] [/keyfileisascii] [/keyfilenewline {CRLF|LF|CR}]
           [/lesfile <LES file>]
           [/saltlength <saltlength>] [/keyiterations <keyiterations>]
           [/password <password>] [/silent] [/noexit] [/minimize]
           [/settings <settings file>]

LibreCrypt.exe /dismount {<drive letter>[:] | all} [/force]

LibreCrypt.exe /count

LibreCrypt.exe /create

LibreCrypt.exe /portable {start | on | 1 | stop | off | 0 | toggle} [/silent]

LibreCrypt.exe /drivercontrol gui
LibreCrypt.exe /drivercontrol count [/type {total | portable | installed}]
LibreCrypt.exe /drivercontrol install /filename {<driver filename> | all} [/silent]
LibreCrypt.exe /drivercontrol uninstall /drivername {<driver name> | all} [/silent]

Description

LibreCrypt has command line parameters so most operations can be run from the command line or MS Windows shortcuts.

Note on terminology

In the LibreCrypt GUI and documentation aimed at new users, easy to understand words like 'open', 'container' and 'lock' are used. In documentation aimed at more advanced users (like this page) standard file system terms are used, as follows:

LibreCrypt Volume A container

Volume A 'Container', perhaps for a legacy app

Mount a volume Open a Container

Dismount a volume Close a Container

Flush keys for a volume Lock a Container

LibreCrypt was previously known as 'FreeOTFE'. The driver that handles native container volumes ('containers') is still known as the 'FreeOTFE' driver and the name is preserved in some filenames and command line parameters.

Options

"-" may be used instead of "/", if required.

Note: Although there is currently no option to specify which drive letter a volume should be mounted as, this may be set on any given container by selecting "Tools | Change volume/keyfile password/details..."

/count
Count the number of open containers. Exit code indicates the appropriate number (or error code; see below)

/create
Create new container

/dismount {<drive letter>[:] | all}
Dismount indicated drive/all drives

/drive <drive letter>
Drive letter to be used when mounting the volume

/drivercontrol count [/type {total | portable | installed}]
Return count of drivers as exit code; total drivers present/count installed in portable mode/count formally installed. If "/type" is not specified, "/type total" is assumed

/drivercontrol gui
Display driver control dialog

/drivercontrol install /filename {<driver filename> | all}
Install specified driver, or all drivers in the current working directory

/drivercontrol uninstall /drivername {<driver name> | all}
Uninstall specified driver, or all installed drivers. Note that this takes the driver name, not the driver's filename (Important: Don't attempt to uninstall drivers which are currently in use; e.g. by a mounted volume)

/force
When dismounting, force dismount (emergency dismount)

/freeotfe
The specified volume is a container. If a volume type (LibreCrypt/Linux) isn't specified, the user will be prompted for this information.

/keyfile <keyfile>
Keyfile to be used when opening a container. Only valid when opening containers

/keyfileisascii
Only valid when mounting Linux LUKS volumes. If this flag is specified, the keyfile will be treated as containing ASCII password. Otherwise the keyfile will be treated as containing binary data. Default is to treat as binary.

/keyfilenewline {CRLF|LF|CR}
Only valid when mounting Linux LUKS volumes. If /keyfileisascii is specified, the first newline found in the keyfile will be treated as an EOF. This option specifies what constitutes a newline. Default is "LF".

/keyiterations <keyiterations>
The number of key iterations

/lesfile <LES file>
File from which to read Linux encryption settings from. Only valid when mounting non-LUKS Linux volumes

/linux
The specified volume is a Linux volume. If a volume type (LibreCrypt/Linux) isn't specified, the user will be prompted for this information.

/mount
Mount indicated file/partition

/minimize
Minimise main window when run

/nocdbatoffset
Indicates there is no CDB stored from the offset specified by "/offset". Only meaningful when both "/offset", "/freeotfe" and "/keyfile" are used.

/noexit
Normally, when run with command line parameters, LibreCrypt carries out the requested action and exits. Specifying this parameter will cause LibreCrypt to continue running

/offset <offset>
Use specified offset when mounting. This may be specified using GB/MB/KB units, or with no units for an offset in bytes (e.g. 5GB or 5368709120 for a 5GB offset). Note: If the value used for the offset has has a space in it, it should be surrounded by quotes (e.g. "10 GB" or 10GB are both valid)

/password <password>
The password to be used. It is not recommended that this is used; particularly in shortcuts, as this would involve storing your password in plaintext such that anyone can read it!

/portable {start | on | 1 | stop | off | 0 | toggle}
Turn on/off portable mode

/readonly
Mount the volume readonly

/settings
Use specified file for program settings, instead of normal settings location

/silent
Can be used when installing/uninstalling drivers and changing portable mode to suppress dialogs, and also when mounting a volume to prevent the password entry dialog showing

/saltlength <saltlength>
The length of the salt (in bits)

/volume <volume>
The volume filename/partition to be used. When using a volume file, this should be set to the full path and filename of a volume file. Partitions should be specified in the form: "\Device\HarddiskX\PartitionY", where X is 0 based, while Y starts from 1 to indicate a particular partition, or 0 to indicate the entire disk. Important: If the volume filename has any spaces in it, then it should be enclosed in double quotes (").

/SetTestMode <on|off>
Set or unset Windows 'test mode' to allow unsigned drivers in 64 bit Windows 7 or above

/SetInstalled
Sets a flag in the ini file to indicate the app has been installed. Without this flag, LibreCrypt will attempt to install the drivers at startup

/dev_menu
Enables an extra 'developer' menu, used for testing

Note: Under Windows Vista, the "install" and "uninstall" options require LibreCrypt.exe to be explicitly "runas" an account with administrator privileges, if not being executed from a process which has already been escalated; see examples below. The "/portable" will automatically escalate to administrator privileges, if required

Exit Codes

When run at the command line, LibreCrypt will terminate with one of the following exit codes:

Exit code Meaning

0 Success

100 Invalid/unrecognised command line

101 Unable to connect to FreeOTFE driver; check driver is installed or portable mode is started

102 Unable to mount volume

103 Unable to dismount volume

104 Unable to start portable mode

105 Unable to stop portable mode
106 The requested operation requires administrative privileges

999 Other error

Exit code	Meaning
0	Success
100	Invalid/unrecognised command line
101	Unable to connect to FreeOTFE driver; check driver is installed or portable mode is started
102	Unable to mount volume
103	Unable to dismount volume
104	Unable to start portable mode
105	Unable to stop portable mode
106	The requested operation requires administrative privileges
999	Other error

Examples

Opening a container:

LibreCrypt.exe /mount /volume "C:\My Private Data\my encrypted volume.vol" /freeotfe

Mounting a Linux volume readonly:

LibreCrypt.exe /mount /volume "C:\My Private Data\my encrypted volume.vol" /linux /readonly

Mounting a container partition::

LibreCrypt.exe /mount /volume "\Device\Harddisk0\Partition1" /freeotfe /readonly

Dismount drive "S:":

LibreCrypt.exe /dismount S:

Dismount all volumes, emergency:

LibreCrypt.exe /dismount all /force

Start and stop portable mode:

LibreCrypt.exe /portable start
LibreCrypt.exe /portable stop

Installing drivers (except Windows Vista):

LibreCrypt.exe /drivercontrol install /filename FreeOTFE.sys
LibreCrypt.exe /drivercontrol install /filename FreeOTFEHashSHA.sys
LibreCrypt.exe /drivercontrol install /filename FreeOTFECypherAES_ltc.sys
LibreCrypt.exe /drivercontrol install /filename all

Installing drivers (Windows Vista):

runas /user:myAdminAccount LibreCrypt.exe /drivercontrol install /filename FreeOTFE.sys
runas /user:myAdminAccount LibreCrypt.exe /drivercontrol install /filename FreeOTFEHashSHA.sys
runas /user:myAdminAccount LibreCrypt.exe /drivercontrol install /filename FreeOTFECypherAES_ltc.sys

Uninstalling drivers (except Windows Vista):

LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFE
LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFEHashSHA
LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFECypherAES
LibreCrypt.exe /drivercontrol uninstall /drivername all

Uninstalling drivers (except Windows Vista):

runas /user:myAdminAccount LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFE
runas /user:myAdminAccount LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFEHashSHA
runas /user:myAdminAccount LibreCrypt.exe /drivercontrol uninstall /drivername FreeOTFECypherAES

LibreCrypt Volume	A container
Volume	A 'Container', perhaps for a legacy app
Mount a volume	Open a Container
Dismount a volume	Close a Container
Flush keys for a volume	Lock a Container

/count	Count the number of open containers. Exit code indicates the appropriate number (or error code; see below)
/create	Create new container
/dismount {<drive letter>[:] \| all}	Dismount indicated drive/all drives
/drive <drive letter>	Drive letter to be used when mounting the volume
/drivercontrol count [/type {total \| portable \| installed}]	Return count of drivers as exit code; total drivers present/count installed in portable mode/count formally installed. If "/type" is not specified, "/type total" is assumed
/drivercontrol gui	Display driver control dialog
/drivercontrol install /filename {<driver filename> \| all}	Install specified driver, or all drivers in the current working directory
/drivercontrol uninstall /drivername {<driver name> \| all}	Uninstall specified driver, or all installed drivers. Note that this takes the driver name, not the driver's filename (Important: Don't attempt to uninstall drivers which are currently in use; e.g. by a mounted volume)
/force	When dismounting, force dismount (emergency dismount)
/freeotfe	The specified volume is a container. If a volume type (LibreCrypt/Linux) isn't specified, the user will be prompted for this information.
/keyfile <keyfile>	Keyfile to be used when opening a container. Only valid when opening containers
/keyfileisascii	Only valid when mounting Linux LUKS volumes. If this flag is specified, the keyfile will be treated as containing ASCII password. Otherwise the keyfile will be treated as containing binary data. Default is to treat as binary.
/keyfilenewline {CRLF\|LF\|CR}	Only valid when mounting Linux LUKS volumes. If /keyfileisascii is specified, the first newline found in the keyfile will be treated as an EOF. This option specifies what constitutes a newline. Default is "LF".
/keyiterations <keyiterations>	The number of key iterations
/lesfile <LES file>	File from which to read Linux encryption settings from. Only valid when mounting non-LUKS Linux volumes
/linux	The specified volume is a Linux volume. If a volume type (LibreCrypt/Linux) isn't specified, the user will be prompted for this information.
/mount	Mount indicated file/partition
/minimize	Minimise main window when run
/nocdbatoffset	Indicates there is no CDB stored from the offset specified by "/offset". Only meaningful when both "/offset", "/freeotfe" and "/keyfile" are used.
/noexit	Normally, when run with command line parameters, LibreCrypt carries out the requested action and exits. Specifying this parameter will cause LibreCrypt to continue running
/offset <offset>	Use specified offset when mounting. This may be specified using GB/MB/KB units, or with no units for an offset in bytes (e.g. 5GB or 5368709120 for a 5GB offset). Note: If the value used for the offset has has a space in it, it should be surrounded by quotes (e.g. "10 GB" or 10GB are both valid)
/password <password>	The password to be used. It is not recommended that this is used; particularly in shortcuts, as this would involve storing your password in plaintext such that anyone can read it!
/portable {start \| on \| 1 \| stop \| off \| 0 \| toggle}	Turn on/off portable mode
/readonly	Mount the volume readonly
/settings	Use specified file for program settings, instead of normal settings location
/silent	Can be used when installing/uninstalling drivers and changing portable mode to suppress dialogs, and also when mounting a volume to prevent the password entry dialog showing
/saltlength <saltlength>	The length of the salt (in bits)
/volume <volume>	The volume filename/partition to be used. When using a volume file, this should be set to the full path and filename of a volume file. Partitions should be specified in the form: "\Device\HarddiskX\PartitionY", where X is 0 based, while Y starts from 1 to indicate a particular partition, or 0 to indicate the entire disk. Important: If the volume filename has any spaces in it, then it should be enclosed in double quotes (").
/SetTestMode <on\|off>	Set or unset Windows 'test mode' to allow unsigned drivers in 64 bit Windows 7 or above
/SetInstalled	Sets a flag in the ini file to indicate the app has been installed. Without this flag, LibreCrypt will attempt to install the drivers at startup
/dev_menu	Enables an extra 'developer' menu, used for testing